~ Security Researcher, Linux Tinkerer, Ukulele Strummer

Truecrypt or Falsecrypt?

Most people concerned with privacy have heard of the software encryption program TrueCrypt. For those of you who haven’t, by all means head on over to Truecrypt.org to see what it’s all about.

Debate has been raging quite hotly on this matter and it’s worth mentioning that an audit of Truecrypt’s source code has been promised, although there’s some doubt as to whether the executable files available from Truecrypt’s main page actually represent a compiled version of the source code. To see fresh developments, please visit http://www.istruecryptauditedyet.com.

In my own case as a humble researcher, I have decided to sum up both sides of the argument and explain why I’ve decided to restrict my use of it.

Advantages:
– Truecrypt has a very easy-to-use interface, which is great for people who want to be able to protect their data quickly and easily. (Although please see my separate post – Don’t Fear the Command Line!). In particular, it’s very easy to encrypt multiple files by placing them in a container. The website (link above) has some excellent step-by-step guides on how to do this.

– For Windows users, it’s possible to quickly encrypt your entire system so that if the device were stolen/seized it wouldn’t be possible to decrypt the data without the right password. More info on system encryption and what it can and can’t do for you here.

– Truecrypt allows you to use more than one encryption algorithm in a single volume. While the current “big three” AES, Serpent and Twofish are supposedly sufficiently robust on their own, if any of them were to be broken, you’d have the peace of mind of knowing that the other two would protect your data.

– By use of the hidden volume feature in Truecrypt, you can hide your secret files in a hidden container with one password and have some plausible-looking dummy files in an outer container protected with another. As such, if you live in a country with oppressive laws which require you to provide your password or face jail, like the UK, you can safely provide the password for the outer container without compromising your truly secret files. The jury is still out on what the courts will do if Police think you have a hidden volume, but cryptographically it’s virtually impossible to prove.

– Truecrypt allows you to easily set up keyfiles to open an encrypted volume in addition to a password. This dovetails nicely with the traditional security maxim of “something you have and something you know”, otherwise known as Two Factor Authentication. This is technically possible using the Linux command line but is not as easy to implement.

Disadvantages:
– The Licence used, as stated above, is not free, in the sense that developers cannot modify the source code to make a version of Truecrypt for a particular operating system. For this reason Truecrypt isn’t included in Debian Linux. It also isn’t very easy to make your own version.

– For the Windows versions at least, there are some security concerns. Certain random data is saved to the “header” of a Truecrypt volume. It’s possible this is a backdoor. (If you think it isn’t possible to put a back door into publicly available code and get away with it see here). A full analysis of the exact vulnerability is available from the Ubuntu Privacy remix site.
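
An added example for the keyfile point in the list above (not from the original post, and not cryptsetup's own tooling): a LUKS key slot is unlocked by a passphrase or by a keyfile, not by both at once, so this script hashes the two factors together and feeds the result to cryptsetup. The function names and the hashing construction are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: a LUKS volume that needs BOTH a passphrase and a keyfile.
# Function names and the SHA-256 combination are illustrative assumptions.

# new_keyfile PATH: write 64 random bytes, readable only by the owner.
new_keyfile() {
    ( umask 077 && head -c 64 /dev/urandom > "$1" )
}

# derive_key PASSPHRASE KEYFILE: print 64 hex characters on stdout.
# The keyfile is hashed first, so the boundary between the fixed-length
# keyfile digest and the passphrase is unambiguous.
derive_key() {
    pass=$1 keyfile=$2
    [ -n "$pass" ] || { echo "empty passphrase" >&2; return 1; }
    [ -r "$keyfile" ] && [ -s "$keyfile" ] ||
        { echo "keyfile missing or empty: $keyfile" >&2; return 1; }
    kf_hash=$(sha256sum < "$keyfile" | cut -d' ' -f1)
    # printf is a builtin in bash and dash, so the passphrase does not
    # show up in the process list.
    printf '%s:%s' "$kf_hash" "$pass" | sha256sum | cut -d' ' -f1
}

# read_pass: read a passphrase from the terminal without echoing it.
read_pass() {
    printf 'Passphrase: ' >&2
    stty -echo; IFS= read -r REPLY_PASS; stty echo; echo >&2
}

# format_volume DEVICE KEYFILE (root required, destroys data on DEVICE).
format_volume() {
    read_pass || return 1
    # Derive first and stop on failure, so cryptsetup never sees an empty key.
    key=$(derive_key "$REPLY_PASS" "$2") || return 1
    printf '%s' "$key" | cryptsetup luksFormat --batch-mode --key-file - "$1"
}

# open_volume DEVICE NAME KEYFILE (root required); maps /dev/mapper/NAME.
open_volume() {
    read_pass || return 1
    key=$(derive_key "$REPLY_PASS" "$3") || return 1
    printf '%s' "$key" | cryptsetup open --type luks --key-file - "$1" "$2"
}
```

Keep the keyfile on removable media that is stored apart from the machine; LUKS still runs its own key-derivation function over the combined value.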

N.B. I have not touched on weaknesses such as hardware keyloggers, ‘Evil Maid’ and cold boot attacks, simply because these flaws aren’t specific to Truecrypt. For a more general discussion of potential vulnerabilities when encrypting your data, please see my post on “Encryption Best Practices.”

So in summary, Truecrypt is only free in the sense of a brochure in your local hotel. You can’t alter it to suit your needs and you don’t necessarily know who wrote it.
Aside from the fact that it’s foolish to rely on any one program to secure all your data, Truecrypt raises many unanswered questions, which is why I’ve begun to stop using it altogether. To see some alternatives for securing your data, please feel free to see my post on “Alternatives to Truecrypt.”